Slashdot Mirror


Firefox Moving On From SSL 2.0

Juha-Matti Laurio writes "Plans are afoot to remove support for SSL version 2.0 in Mozilla Firefox, reports MozillaZine portal. Mozilla Foundation is eager to disable support for SSL 2.0 and have all Firefox installations use only the newer and more secure SSL 3.0 and TLS 1.0 protocols." From the post: "Netscape Communications Corporation introduced SSL 2.0 with the launch of Netscape Navigator 1.0 in 1994. Netscape Navigator 2.0 included support for SSL 3.0 when it was released in 1996. The specification for TLS 1.0, essentially a standardized version of SSL 3.0 with some differences, was published in 1999."

17 of 131 comments

  1. Re:Online banking by elwin_windleaf · · Score: 2, Insightful

    I'm not sure if this is just my knee-jerk reaction from using old technology frequently, but when I hear "remove support" it usually gets associated with bad things in my mind...

  2. Don't remove it - just disable it. by caluml · · Score: 3, Insightful

    Why remove - why not just disable, and make it an entry in a config file to re-enable it? I'm all for removing any software that is insecure, but this might cause trouble for users trying to access sites. It's all about choice, people.

    1. Re:Don't remove it - just disable it. by Anonymous Coward · · Score: 1, Insightful

      > It's all about choice, people.

      Of course. You can choose to use Firefox and not access certain sites, or you can choose to scrap Linux, install Windows, and use IE7 which will continue to support SSL2.0 -- and which will start luring users back away from Firefox.

      In all seriousness, I agree with you. Make it an option, not a necessity.

  3. Re:Online banking by ergo98 · · Score: 3, Insightful

    > SSL 2.0 is so old that it should have gone the way of the Dodo bird. The point of removing 2.0 from Firefox is to force an upgrade by anyone who might be lame enough to still be running such old and insecure technology.

    Good point. Hopefully they can catch the morons running TCP/IP and HTTP as well, those idiots.

  4. Re:Good by AKAImBatman · · Score: 4, Insightful

    Ooo! You're right! We better tell people to stop using RSA and HTTP immediately!

    Be careful about such sweeping statements, please. They're more often wrong than right. And I know of quite a few people who are happy that RSA is finally out of patent protection. :-)

  5. Re:Good by ergo98 · · Score: 4, Insightful

    > If this technology is 11 years old, then I don't think anyone would like to use it today. Especially if it's encryption standard.

    RSA was designed in 1977.

    Age means absolutely nothing (for any technology), and instead any calls for replacement need to detail exactly what the weaknesses are and how they've been resolved in newer variants.

  6. Re:Online banking by Iriel · · Score: 4, Insightful

    Then again, there are some people that still work on standards older than dirt. I work for a company whose site still gets hits from people browsing with Netscape 3.0 Gold.

    Sometimes, I think one thing that holds Mozilla/Firefox back from wider adoption is the fact that many people are lazy enough to make a site only work in IE, and Firefox would break someone's favorite page as a result. It's the very standards we strive for that leave the masses lagging. I don't know what companies still use SSL2.0 for anything, but I don't doubt the existence of enough to make a developer cringe.

    --
    Perfecting Discordia
    www.stevenvansickle.com
  7. Re:Online banking by niney · · Score: 2, Insightful

    Mozilla isn't really in a position to be telling banks what to support. The banks will just block them out again if their browser doesn't do what they want. (Yes, I know, you can spoof your user agent string, but not everyone will do this)

    In the past, it's been the other way around, they had to support autocomplete=off (an IE tag) due to insistence from banks: (bugzilla link)

  8. Re:Online banking by AKAImBatman · · Score: 3, Insightful

    Let me put it this way: It should have been replaced due to its age in relation to the maturity of the newer versions available. Especially when compared with the insecurity of the old version vs. the proven security of the new version.

    Happy?

  9. Re:Good by Dachannien · · Score: 2, Insightful

    I've been using POP to fetch my e-mail from the same address for 11 years.

  10. I would assume... by Kr3m3Puff · · Score: 2, Insightful

    That the desire to remove the technology also makes the job of testing easier, especially when dealing with security related code, I am sure that testing of this is more of an annoyance. People expect it to be secure and unexploitable. Then you can focus your development and patches on new code.

    This isn't just about making stuff compatible for the users. Then the developers can focus on MSIE quirky mode rendering instead of SSL 2.0!

    --
    D.O.U.O.S.V.A.V.V.M.
  11. This is news? by KhaZ · · Score: 2, Insightful

    Sorry, maybe I'm missing something:

    But why is it a big deal that they're upgrading?

    I thought this was a news site: not freshmeat or version tracker.

    Is there some other item of importance here that I'm missing?

    --
    - - - -

    KickingDragon

  12. Re:That's nice and all by jonadab · · Score: 3, Insightful

    > The problem with Mozilla is that they're so swamped with bugs that some
    > developers at least seem to have stopped caring about *any* bugs at all
    > whatsoever anymore - to the point where they will not only not fix them,
    > but actively try to prevent others from fixing them. Give bug 18574 a
    > look some time, for example...

    If this bug is typical of the sort of thing you're complaining about, go soak your head. If it were me, I'd have closed that bug as NOTABUG aeons ago. There are an infinite number of bizarroid image formats out there that, for one reason or another (in some cases good reasons, in some cases not, but that is neither here nor there) have not become important or common on the web. MNG is an ideal example and practically a case study in irrelevancy; it has been languishing in irrelevancy for years and shows absolutely ZERO signs of EVER breaking out of that and gaining any significant mindshare or import. The component owner is absolutely right to exclude this sort of nonsense. Mozilla is *not* primarily an image viewer; it is primarily a web browser, so the image formats it should support are ones that are *used on the web*, not every single obscure image format someone thinks is cool. (And that's quite aside from the fact that the main selling point of MNG is that it supports animation, something right-thinking people have been wanting to rid the web of since some misguided cretinous loser decided to introduce looping animated GIFs in Netscape 2.0; the only thing worse than animations on the web was the <blink> tag, may it rest in pieces.)

    You speak of preventing bugs from being fixed, but if this is what you're talking about, you should speak of preventing irrelevant features that aren't even vaguely web-related from being needlessly introduced into a web browser.

    --
    Cut that out, or I will ship you to Norilsk in a box.
  13. Re:Online banking by AdamWeeden · · Score: 2, Insightful

    > I think one thing that holds Mozilla/Firefox back from wider adoption is the fact that many people are lazy enough to make a site only work in IE

    In some cases it isn't a decision of laziness, but of business. My former employer (a web development firm) determined the webshare that non IE browsers got for one of our clients. It was only 5%. They then determined how much business that client did per year and figured out how many extra hours (and thus extra cost to the client) it would cost to make the features we were developing acceptable by alternative browsers (FF/Netscape/Mozilla/Opera/etc). The cost outweighed the extra profit, so we developed IE centric solutions.

    Keep in mind I say this as someone who uses Firefox almost exclusively.

    --
    I was quoted out of context in my autobiography...
  14. Re:That's nice and all by dolphinling · · Score: 2, Insightful

    It's a troll, but I'll bite and see if I can get a free worm.

    This is just wrong. A bit of research (http://weblogs.mozillazine.org/asa/, http://planet.mozilla.org/) shows that the developers, including Asa, routinely listen to users and often ask for comments. And from the point of view of an insider (bugs I've reported: 55), developers respond quickly and helpfully to anyone who isn't wasting their time, and even those who are but do it in a courteous way.

    A few other specific points: the Mozilla Corporation is not for-profit. Nothing about a corporation says it has to be. It merely falls under business laws, making it easier for other businesses to interact with Mozilla.

    And with respect to bug 18574, it's the one about MNG support. To quote a few things from the bug:

    > However, MNG inclusion won't even be considered until there is true reason to include it. According to some numbers I believe I saw at libmng or png.org/pub/mng, the number of MNG/JNG images ranges in the hundreds or the low thousands. Period. Worldwide. Ever. Almost all of these images are also set up as testcases, not as practical media on sites.

    > It's not something that'll likely change going forward, unless MNG support is really low cost (i.e. not 200-300k). At 50-80k the case becomes stronger, of course. The "if you support it, they will come" argument is weak, since we did support this for three years and the content didn't come.

    --
    There are 11 types of people in the world: those who can count in binary, and those who can't.
  15. Re:Online banking by bunratty · · Score: 3, Insightful

    Of course, now that non-IE browsers are used three times as much as then, the extra profit should be three times greater and probably now outweighs the cost. Making the site compliant with non-IE browsers now will probably only cost more than it would have to support them to begin with, and the profit the site could have been making all this time from users of those browsers is now lost. It would have been more profitable to support non-IE browsers from the start, rather than reverse the decision to support IE.

    --
    What a fool believes, he sees, no wise man has the power to reason away.
  16. Good by ChiralSoftware · · Score: 3, Insightful

    When you have a situation where 99% of the sites on the net have upgraded, you have two basic options:

    1. Keep on supporting them forever.
    2. Stop supporting them and force them to upgrade.

    #2 is usually the right thing to do. It's especially right in this case. Every single line of code that processes remote user input (i.e., every line of SSL and any other web server code) could potentially contain a security vulnerability. Developers are not actively working on this antique code so bugs will be left there, perhaps forever. If you're looking for holes, abandoned code is a good place to look. This is similar to the Linux vulnerability not long ago where there was some obscure bug in the processing of a.out files that let binaries escalate. Well, we don't use a.out format anymore. We use ELF format and have for years, so no one was paying attention to that antique code. It should have been removed from the kernel, but it wasn't.

    The second issue is that OpenSSL is maintained by volunteers. I'd rather have them working to make a small set of features perfect, instead of wasting time on dead code that almost no one is using. Would you rather have the GCC crew working on improving Java or Fortran support?